Subject: Re: Proposal for protection from windows rootkit drivers
From: David Welch (david.welch ST-EDMUND-HALL.OXFORD.AC.UK)
Date: Thu Jun 08 2000 - 09:15:17 CDT
- Next message: David LeBlanc: "Re: Account lockups follow-up"
- Previous message: Russ: "Potential vulnerability in Unify eWave ServletExec"
- In reply to: IPD: "Proposal for protection from windows rootkit drivers"
- Reply: David Welch: "Re: Proposal for protection from windows rootkit drivers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
On Thu, 8 Jun 2000, IPD wrote:
> If there is a mechanism to load and execute a device driver without
> using Service Control Manager functions and without the need to write to
> the Services portion of the registry, then there may be a way to
> circumvent the IPD. We are not aware of any mechanism to do this.
> However, if one is discovered the IPD could be amended to hook and
> alter the functions used.
>
According to 'Windows NT/2000 Native API Reference' ZwSetSystemInformation
with the classes SystemLoadImage and SystemLoadAndCallImage can be used to
load code into kernel-mode. Memory mapping \Device\PhysicalMemory could
also be used to overwrite existing kernel-mode code though it is more
complex to use.
Cheers,
David Welch
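A defender-side check prompted by the point above, added here as an example and not taken from the thread or from the IPD proposal: it lists the kernel images actually loaded and flags those with no matching ImagePath under the Services key, which is where a driver brought in through ZwSetSystemInformation rather than the Service Control Manager would stand out. It assumes Windows PowerShell with psapi.dll available; the function names and the boot-image allow-list are my own assumptions.

```powershell
# Added example, not code from the thread or the IPD proposal. Run elevated.
# Flags loaded kernel images (psapi EnumDeviceDrivers) whose file name matches
# no ImagePath under CurrentControlSet\Services: a driver loaded through
# ZwSetSystemInformation(SystemLoadAndCallImage) never creates a service key.
Add-Type -Namespace Psapi -Name Native -MemberDefinition @'
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumDeviceDrivers(IntPtr[] lpImageBase, int cb, out int lpcbNeeded);
[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int GetDeviceDriverFileNameW(IntPtr ImageBase, System.Text.StringBuilder lpFilename, int nSize);
'@
function Get-LoadedDriverPaths {
    $needed = 0
    [void][Psapi.Native]::EnumDeviceDrivers($null, 0, [ref]$needed)   # size query only
    $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
    if (-not [Psapi.Native]::EnumDeviceDrivers($bases, $needed, [ref]$needed)) {
        throw "EnumDeviceDrivers failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    foreach ($base in $bases) {
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Psapi.Native]::GetDeviceDriverFileNameW($base, $sb, $sb.Capacity) -gt 0) {
            [PSCustomObject]@{ ImageBase = $base; Path = $sb.ToString() }
        }
    }
}
function Get-RegisteredImageNames {
    # Lower-cased leaf names from every service's ImagePath (quotes/arguments stripped).
    $names = @{}
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($p) {
            $leaf = (($p -replace '^"', '') -split '\s+')[0] -replace '^.*[\\/]', ''
            $names[$leaf.ToLowerInvariant()] = $true
        }
    }
    return $names
}
function Find-UnregisteredDrivers {
    $registered = Get-RegisteredImageNames
    # Images the boot loader maps itself; assumed allow-list, to be baselined per build.
    $bootImages = @('ntoskrnl.exe', 'ntkrnlpa.exe', 'hal.dll', 'halacpi.dll', 'halmacpi.dll')
    foreach ($d in Get-LoadedDriverPaths) {
        $leaf = ($d.Path -replace '^.*[\\/]', '').ToLowerInvariant()
        if (-not $registered.ContainsKey($leaf) -and $bootImages -notcontains $leaf) { $d }
    }
}
Find-UnregisteredDrivers | Format-Table -AutoSize
```

Later Windows builds load a number of legitimate images outside the SCM as well, so treat the output as a candidate list to diff against a known-good baseline rather than as a verdict.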